JP6364547B2 - System and method for classifying security events as targeted attacks - Google Patents

Description

  Computer security systems are often used to detect malicious attacks on computing devices. For example, the computing device can include a computer security system. In this example, the computer security system can detect malicious files that have infiltrated the computing device via the Internet.

  Unfortunately, some conventional computer security systems cannot distinguish between general malware and targeted attacks. For example, certain organizations (such as businesses and / or government agencies) may have computing devices that include conventional computer security systems. In this example, conventional computer security systems may not be able to determine whether a malicious security event represents a general malware or part of a comprehensive targeted attack.

  Even if certain conventional computer security systems can distinguish between common malware and targeted attacks, these security systems may rely on existing signature databases. As a result, these security systems may not be able to accurately classify such security events as targeted attacks if there are no signature updates specifically matched against unknown security events (eg, zero-day threats). is there. Accordingly, the present disclosure identifies and addresses the need for improved systems and methods that classify security events as targeted attacks.

  As described in more detail below, the present disclosure provides various systems and methods for classifying a security event as a targeted attack by comparing the security event with a targeted attack taxonomy that identifies various characteristics of the targeted attack. Describes the method.

  In one embodiment, a computer-implemented method of classifying a security event as a targeted attack includes: (1) detecting a security event associated with at least one organization; and (2) identifying the security event as a plurality of targeted attacks. Based on comparison with the targeted attack taxonomy that identifies the characteristics and (3) a comparison between the security event and the targeted attack taxonomy, the security event is likely to be targeting the organization And (4) categorizing the security event as a targeted attack in response to determining that the security event is likely to be targeting the organization. In this example, the method may further include notifying the organization that the security event is classified as a targeted attack.

  In one embodiment, the method may also include identifying multiple characteristics of the security event. In this example, the method may further include comparing a plurality of characteristics of the security event with a plurality of characteristics identified with the targeted attack taxonomy.

  In one embodiment, the method may also include determining the number of security event features that match a corresponding characteristic identified in the targeted attack taxonomy. In this example, the method may further include determining that the number of security event features that match a corresponding characteristic identified in the targeted attack taxonomy is above a certain threshold.

  In one embodiment, the method may also include calculating a taxonomy score that represents the likelihood that the security event is targeting the organization based at least in part on the comparison of the security event with the targeted attack taxonomy. Good. In this example, the method may further include determining that the taxonomy score is above a certain threshold. Additionally or alternatively, the method may include weighting at least one of the characteristics identified in the targeted attack taxonomy to increase or decrease the effect of the characteristic in calculating the taxonomy score. .

  In one embodiment, the targeted attack taxonomy may include multiple categories. In this example, each of the multiple categories may include multiple characteristics of the targeted attack. Additionally or alternatively, the method may calculate a category score for each category within the plurality of categories included in the targeted attack taxonomy based at least in part on a comparison of the security event with the targeted attack taxonomy. May be included.

  In one example, the method may also include determining that each category score is above a corresponding threshold. Additionally or alternatively, the method may include calculating a taxonomy score that represents a likelihood that the security event is targeting the organization based at least in part on each category score. The method may further include determining that the taxonomy score is above a certain threshold. Further, the method may include weighting at least one category score to increase or decrease the impact of the category score in calculating the taxonomy score.

  In one embodiment, the method may also include collecting telemetry data related to security from at least one security system. In this example, the method may further include identifying a plurality of characteristics indicative of the targeted attack in the security related telemetry data. Additionally or alternatively, the method may include creating a targeted attack taxonomy from a plurality of characteristics indicative of the targeted attack.

  As another example, a system for implementing the above-described method includes (1) a detection module stored in memory that detects a security event associated with at least one organization, and (2) (A) a security event. Compared to a targeted attack taxonomy that identifies multiple characteristics of the targeted attack, and then (B) a security event targeted to the organization based at least in part on the comparison of the security event with the targeted attack taxonomy In response to a determination that the security event is likely to target the organization, and (3) classifying the security event as a targeted attack A classification module stored in a memory; and (4) a detection module, a determination module, and a classification. It may include at least one processor to perform the Joule.

  As a further example, the method described above may be encoded as computer readable instructions on a non-transitory computer readable medium. For example, a computer-readable medium may include one or more computer-executable instructions that, when executed by at least one processor of the computing device, cause the computing device to: (1) at least one Detecting a security event associated with the organization; (2) comparing the security event with a targeted attack taxonomy that identifies multiple characteristics of the targeted attack; and (3) a security event and a targeted attack taxonomy. To determine that the security event is likely to target the organization, and then to determine that the security event is likely to target the organization, based at least in part on the comparison of In response to (4) security event targeted attack And it is classified as, may be performed.

  Features according to any of the above-described embodiments may be used in combination with each other according to the general principles described herein. These and other embodiments, features and advantages will be more fully understood by reading the following detailed description in conjunction with the accompanying drawings and claims.

The accompanying drawings illustrate several exemplary embodiments and are a part of the specification. Together with the following description, these drawings demonstrate and explain various principles of the present disclosure.
1 is a block diagram of an example system that classifies security events as targeted attacks. FIG. FIG. 3 is a block diagram of an additional exemplary system for classifying security events as targeted attacks. 3 is a flowchart of an exemplary method for classifying a security event as a targeted attack. FIG. 3 is a block diagram of an exemplary targeted attack taxonomy. FIG. 6 illustrates an exemplary targeted attack taxonomy. 1 is a block diagram of an example computing system that can implement one or more of the embodiments described and / or illustrated herein. FIG. FIG. 2 is a block diagram of an exemplary computing network that can implement one or more of the embodiments described and / or illustrated herein.

  Throughout the drawings, identical reference numbers and descriptions indicate similar, but not necessarily identical, elements. While the exemplary embodiments described herein are susceptible to various modifications and alternative forms, specific embodiments are shown by way of example in the drawings and are described in detail herein. Is done. However, the exemplary embodiments described herein are not intended to be limited to the particular forms disclosed. Rather, the present disclosure covers all modifications, equivalents, and alternatives falling within the scope of the appended claims.

  The present disclosure is generally directed to systems and methods for classifying security events as targeted attacks. By collecting security-related telemetry data from different security systems, as described in more detail below, the various systems and methods described herein indicate targeted attacks within security-related telemetry data. Multiple characteristics may be identified. These systems and methods may then create a targeted attack taxonomy from a plurality of characteristics identified in the security-related telemetry data.

  In creating a targeted attack taxonomy, these systems and methods may compare detected security events with the targeted attack taxonomy. By comparing detected security events with targeted attack taxonomies, these systems and methods generate new behavioral signatures specifically tailored to specific unknown security events (eg, zero-day threats). It may be possible to classify such security events as part of a targeted attack before. Thus, these systems and methods may facilitate a somewhat heuristic-based strategy (as opposed to a purely signature-based strategy) for classifying security events as part of a targeted attack.

  In the following, with reference to FIGS. 1-2, a detailed description of an exemplary system for classifying security events as targeted attacks is provided. A detailed description of the corresponding computer-implemented method is also provided in connection with FIG. A detailed description of an exemplary targeted attack taxonomy is also provided in connection with FIGS. In addition, a detailed description of an exemplary computing system and network architecture that can implement one or more of the embodiments described herein is provided in conjunction with FIGS. 6 and 7, respectively. Provided.

  FIG. 1 is a block diagram of an exemplary system 100 that classifies security events as targeted attacks. As illustrated in this figure, exemplary system 100 may include one or more modules 102 for performing one or more tasks. For example, as described in more detail below, the exemplary system 100 may include a detection module 104 that detects security events associated with at least one organization. The example system 100 also compares the security event to a targeted attack taxonomy that identifies multiple characteristics of the targeted attack, and then based at least in part on the comparison, the security event targets the organization. It may also include a determination module 106 that determines that there is a high possibility of being.

  In addition, as described in more detail below, the exemplary system 100 classifies a security event as a targeted attack in response to determining that the security event is likely targeting an organization. Module 108 may be included. Although illustrated as separate elements, one or more of the modules 102 of FIG. 1 may be a single module or application (security information management (SIM) application, security event management (SEM) application, and / or security information and An event management (SIEM) application, etc.) part may be represented.

  In certain embodiments, one or more of the modules 102 of FIG. 1 may cause the computing device to perform one or more tasks when executed by the computing device, or one or more software applications or It may represent a program. For example, as will be described in more detail below, one or more of the modules 102 may include the device shown in FIG. 2 (eg, computing device 202 and / or server 206), computing system 610 of FIG. 6, and / or 7 may represent software modules stored and configured to run on one or more computing devices, such as a portion of the example network architecture 700 of FIG. One or more of the modules 102 of FIG. 1 may also represent all or a portion of one or more dedicated computers configured to perform one or more tasks.

  As shown in FIG. 1, exemplary system 100 may also include one or more taxonomies, such as targeted attack taxonomy 120. The term “taxonomy” as used herein generally refers to any type or form used to classify security events based at least in part on certain characteristics and / or characteristics of security events. Refers to a set of ontologies, heuristics, models, and / or rules. In one example, the targeted attack taxonomy 120 may include and / or identify multiple characteristics 122 (1)-(N) of the targeted attack. In this example, characteristics 122 (1)-(N) may represent a set of previously observed features associated with a known targeted attack. Additionally or alternatively, characteristics 122 (1)-(N) may represent metadata regarding a particular behavioral signature used to classify security events as targeted attacks.

  Examples of characteristics 122 (1)-(N) include, but are not limited to, evidence of reconnaissance, detection of spear phishing emails, whether the attack is targeted at high value assets, leaked infrastructure sensitive data Loss prevention (DLP) detection, whether the attack is involved in fake distributed denial of service (DDoS), the use of a secret backdoor, the attack is involved in another dormant file that calls home sporadically Whether there is abnormal use of remote desktop and / or virtual network computing (VNC) tools, suspicious amount of network traffic sent by specific files associated with the attack, abnormal network behavior at night and / or weekend, One or more variants of them, whether they are involved in reading password files, One or more combinations of these, or include any other characteristic of a targeted attack.

  Targeted attack taxonomy 120 may represent a single database or computing device, or portions of multiple databases or computing devices. For example, the targeted attack taxonomy 120 of FIG. 1 may include portions of the computing device 202 and / or server 206 of FIG. 2, the computing system 610 of FIG. 6, and / or portions of the example network architecture 700 of FIG. May be represented. Alternatively, the targeted attack taxonomy 120 of FIG. 1 may include computing devices such as the computing device 202 and / or server 206 of FIG. 2, the computing system 610 of FIG. 6, and / or portions of the example network architecture 700 of FIG. It may represent one or more physically separate devices that can be accessed by a storage device.

  The example system 100 of FIG. 1 may be implemented in various ways. For example, all or part of the example system 100 may represent a portion of the example system 200 in FIG. As shown in FIG. 2, the system 200 may include a computing device 202 that communicates with a server 206 via a network 204. In one example, computing device 202 may be programmed with one or more of modules 102. In this illustrative example, computing device 202 may store all or a portion of targeted attack taxonomy 120 and / or detect security event 210.

  In addition or alternatively, the server 206 may be programmed with one or more of the modules 102. In this example, server 206 may store all or a portion of targeted attack taxonomy 120 and / or detect security event 210. The term “security event” as used herein generally refers to any type or form of event, process, alert, potentially related to and / or affecting the security of a computing device and / or network. And / or an application. Examples of security events 210 include, but are not limited to, sending and / or receiving email, downloading and / or uploading files, creating and / or executing files, network activity and / or communication, malware infection, social engineering An attack, suspicious activity, one or more variants thereof, one or more combinations thereof, or any other security event.

  In one embodiment, when one or more of the modules 102 according to FIG. 1 are executed by at least one processor of the computing device 202 and / or the server 206, the computing device 202 and / or the server 206 is secured. Events can be classified as targeted attacks. For example, as described in more detail below, one or more of the modules 102 may cause the computing device 202 and / or server 206 to (1) detect a security event 210 associated with at least one organization, (2 ) Comparing security event 210 with targeted attack taxonomy 120 that identifies multiple characteristics 122 (1)-(N) of the targeted attack; and (3) comparing security event 210 with targeted attack taxonomy 120. Determining, based at least in part, that the security event 210 is likely to target the organization, and (4) determining that the security event 210 is likely to target the organization. In response, classify security event 210 as a targeted attack It may also be carried out.

  Computing device 202 generally represents any type or form of computing device capable of reading computer-executable instructions. Examples of computing device 202 include, but are not limited to, laptops, tablets, desktops, servers, mobile phones, personal digital assistants (PDAs), multimedia players, embedded systems, wearable devices (eg, smart watches, smart glasses Etc.), a gaming machine, a combination of one or more thereof, the exemplary computing system 610 of FIG. 6, or any other suitable computing device.

  Server 206 generally represents any type or form of computing device that can classify security events as targeted attacks. Examples of server 206 include, but are not limited to, a security server configured to execute a particular software application and / or provide various security services, web services, storage services, and / or database services. Application server, web server, storage server, and / or database server. In one embodiment, the server 206 may belong to a security service provider that is responsible for protecting the target organization from cyber attacks. Although illustrated as a single device, server 206 may represent multiple servers that work in conjunction with each other to protect target organizations from cyber attacks.

  Network 204 generally represents any medium or architecture capable of facilitating communication or data transfer. Examples of the network 204 include, but are not limited to, an intranet, a wide area network (WAN), a local area network (LAN), a personal area network (PAN), and the Internet. , Power line communications (PLC), cellular networks (eg, Global System for Mobile Communications (GSM®) network), exemplary network architecture 700 of FIG. The network 204 may facilitate communication or data transfer using a wireless connection or a wired connection. In one embodiment, network 204 may facilitate communication between computing device 202 and server 206.

  FIG. 3 is a flowchart of an exemplary computer-implemented method 300 for classifying security events as targeted attacks. The steps shown in FIG. 3 may be performed by any suitable computer executable code and / or computing system. In some embodiments, the steps shown in FIG. 3 may be performed on portions of system 100 of FIG. 1, system 200 of FIG. 2, computing system 610 of FIG. 6, and / or exemplary network architecture 700 of FIG. It may be implemented by one or more of the components.

  As shown in FIG. 3, at step 302, one or more of the systems described herein may detect a security event associated with at least one organization. For example, the detection module 104 may detect a security event 210 associated with at least one organization as part of the computing device 202 and / or server 206 of FIG. Examples of such organizations include, but are not limited to, companies, government agencies, military agencies, operators, security customer bases, schools, colleges, universities, research institutions, associations, groups, groups, think tanks, one of them. These variations, combinations of one or more thereof, or any other suitable tissue may be mentioned.

  The systems described herein may implement step 302 in various ways and / or contexts. In some embodiments, the detection module 104 may detect the security event 210 by monitoring specific computing activity within the organization. In one example, the detection module 104 may monitor the computing activity of organizational members and / or employees. For example, the detection module 104 may monitor the computing activity of the computing device 202 operated by organizational members and / or employees. In this illustrative example, detection module 104 may detect security event 210 while monitoring computing activity of computing device 202.

  In some embodiments, the detection module 104 can mine and / or analyze security-related data and / or information (eg, telemetry data) collected from a particular security system implemented by the organization, Security event 210 may be detected. For example, the detection module 104 may represent a portion of a SIEM application implemented by an organization. In this example, the SIEM application can send various security alerts to specific firewalls, network intrusion detection systems (IDS), antivirus solutions, and / or DLP solutions that operate on the organization's computing devices and / or networks. May be collected from. As the SIEM application collects security alerts, the detection module 104 may mine and / or analyze these security alerts for evidence of targeted attacks. Accordingly, the detection module 104 may detect the security event 210 while mining and / or analyzing these alerts.

  Returning to FIG. 3, at step 304, one or more of the systems described herein may compare the security event with a targeted attack taxonomy that identifies multiple characteristics of the targeted attack. For example, as part of computing device 202 and / or server 206 of FIG. 2, decision module 106 may identify security event 210 as a targeted attack that identifies multiple characteristics 122 (1)-(N) of the targeted attack. You may compare with taxonomy 120. The term “targeted attack” as used herein generally refers to any type or form of computer-based attack and / or movement that specifically targets one or more tissues.

  In one example, a targeted attack may target a single tissue. In another example, a targeted attack may target multiple tissues. In addition, or alternatively, portions of the targeted attack may be reused and / or reused from one or more past targeted attacks committed by a particular threat group.

  The systems described herein may implement step 304 in a variety of ways and / or contexts. In one example, the determination module 106 may compare the security event 210 with the targeted attack taxonomy 120 based at least in part on certain characteristics and / or characteristics of the security event 210. For example, the determination module 106 may identify multiple features of the security event 210. In this example, the determination module 106 may compare the characteristics of the security event 210 with the characteristics 122 (1)-(N) identified by the targeted attack taxonomy 120.

  Examples of such features of security event 210 include, but are not limited to, reconnaissance evidence, spear phishing emails, whether security event 210 is directed to high value assets, leaked infrastructure secrets, security event 210 Whether you are involved in fake DDoS, use of a secret backdoor, whether security event 210 is involved in another dormant file that sporadically calls your home, remote desktop and / or VNC tool anomalies Suspicious amount of network traffic sent by the specific file associated with the security event 210, abnormal network behavior at night and / or weekend, whether the security event 210 is involved in reading the password file, One or more variations of al, one or more combinations thereof, or include any other features of the security events 210.

  In one example, decision module 106 may identify each feature of security event 210 that matches at least one of characteristics 122 (1)-(N) identified in targeted attack taxonomy 120. For example, the decision module 106 may iterate through the targeted attack taxonomy 120 for each characteristic for each identified feature of the security event 210. In this example, decision module 106 may identify each feature of security event 210 that matches at least one of characteristics 122 (1)-(N) based at least in part on these iterations. . The decision module 106 may then label each matching feature with an indicator that indicates it. In addition, or alternatively, the determination module 106 may label each matching feature with an indicator that identifies the number of characteristics that the feature matches.

  FIG. 4 is a block diagram of an exemplary targeted attack taxonomy 120. As shown in FIG. 4, the targeted attack taxonomy 120 includes and / or identifies multiple categories 400 (1)-(N) that each include and / or identify characteristics of the targeted attack. Good. The term “category” as used herein generally refers to the clustering and / or grouping of any type or form of properties within a taxonomy. In one embodiment, category 400 (1) of FIG. 4 clusters target attack characteristics 122 (1)-(N) together based at least in part on specific commonality, technology, and / or characteristics. And / or grouping. Similarly, category 400 (N) of FIG. 4 clusters and characterizes targeted attack characteristics 422 (1)-(N) together based at least in part on specific commonality, technology, and / or characteristics. You may group. Examples of categories 400 (1)-(N) include, but are not limited to, reconnaissance evidence, use of secret backdoors, lateral movement, leakage, human-induced attack behavior, attack sophistication, level of risk , One or more variations thereof, one or more combinations thereof, or any other suitable category.

  FIG. 5 is a diagram of an exemplary targeted attack taxonomy 120. As shown in FIG. 5, the targeted attack taxonomy 120 includes exemplary categories 400 (1)-(N) (in this example, “reconnaissance evidence”, “use of a secret backdoor”, etc.), Exemplary characteristics 122 (1)-(4) (in this example, "Detection of spear phishing emails", "Attack against high value assets", "DLP detection of leaked infrastructure secrets", " "Detection of spoofed DDoS attack"), as well as characteristics 422 (1)-(4) (in this example, long-term dormant files that call home sporadically "," abnormal use of remote desktop or VNC ", And / or “amount of network traffic sent by the file” and “abnormal network behavior at night or weekend”).

  In some examples, one or more of the systems described herein may create a targeted attack taxonomy 120. In one embodiment, the taxonomy module 110, as part of the computing device 202 and / or server 206 of FIG. 2, may be based on a targeted attack taxonomy based at least in part on certain characteristics that potentially indicate a targeted attack. 120 may be created. For example, the taxonomy module 110 may collect telemetry data related to security from a specific firewall, network IDS, antivirus solution, and / or DLP solution running on an organization's computing device. In collecting security-related telemetry data, the taxonomy module 110 may mine and / or analyze security-related telemetry data for certain characteristics that are potentially indicative of targeted attacks. The taxonomy module 110 may then create a targeted attack taxonomy 120 based at least in part on this security-related telemetry data mining and / or analysis.

  As a specific example, the taxonomy module 110 may apply certain multi-criteria decision analysis (MCDA) techniques to security related telemetry data. The term “multi-criteria decision analysis” and the abbreviation “MCDA”, as used herein, generally relate to security based at least in part on specific commonality, technology, and / or characteristics. Refers to any type or form of algorithm and / or analysis that clusters and / or groups data and / or information into a data set. Thus, MCDA technology may allow taxonomy module 110 to identify complex patterns and / or relationships between specific security events associated with an organization. For example, taxonomy module 110 may apply MCDA technology to security events involving specific members and / or employees of an organization. By applying MCDA technology to these security events, taxonomy module 110 clusters and / or groups characteristics 122 (1)-(N) and / or 422 (1)-(N), then It may be possible to create a targeted attack taxonomy 120 based at least in part on these clusters and / or groups.

  Additionally or alternatively, the taxonomy module 110 may apply MCDA technology to the targeted attack taxonomy 120 to increase its classification accuracy level. In one example, taxonomy module 110 may apply MCDA technology to determine and / or select a particular threshold for one or more of categories 400 (1)-(N). For example, the taxonomy module 110 may classify the security event 210 as a targeted attack so that any particular security event feature includes at least one of the characteristics 122 (1)-(N) included in the category 400 (1). It may be determined that it is necessary to match three. As a result, taxonomy module 110 may select a threshold value of 3 for category 400 (1). A particular security event may be classified as a non-targeted attack if the characteristics of any particular security event do not match at least three of characteristics 122 (1)-(N).

  In another embodiment, taxonomy module 110 applies MCDA technology to identify categories 400 (1)-(N) and / or characteristics 122 (1)-(N) or 422 (1)-(N). May be determined and / or selected. For example, the taxonomy module 110 may weight at least one of the categories 400 (1)-(N) with respect to each other. As a specific example, the taxonomy module 110 may weight the category 400 (1) with a coefficient 1 or 2 as compared to the category 400 (N). By weighting at least one of the categories 400 (1)-(N) in this manner, the taxonomy module 110 increases or decreases the impact of the category in calculating the taxonomy score for any particular security event. May be.

  Additionally or alternatively, the taxonomy module 110 may weight at least one of the characteristics 122 (1)-(N) or 422 (1)-(N) with respect to each other. For example, the taxonomy module 110 may weight the characteristic 122 (1) by a factor of 3 as compared to the characteristics 122 (N) and / or 422 (1)-(N). By weighting at least one of the categories 400 (1)-(N) and / or characteristics 122 (1)-(N) or 422 (1)-(N) in this way, the taxonomy module 110 is The effect of characteristics in calculating the taxonomy score for any particular security event may be increased or decreased. The term “taxonomy score”, as used herein, generally refers to any type or form of score, number, and / or calculation obtained by comparing a security event with a taxonomy. The taxonomy score may represent the likelihood that a security event is targeting the organization.

  In one embodiment, taxonomy module 110 applies MCDA technology to order 400 for categories 400 (1)-(N) and / or characteristics 122 (1)-(N) or 422 (1)-(N). Weighted averaging (OWA) may be achieved. Additionally or alternatively, taxonomy module 110 allows a user to select one of categories 400 (1)-(N) and / or characteristics 122 (1)-(N) or 422 (1)-(N). It may be possible to control more than one weighting.

  Returning to FIG. 3, at step 306, one or more of the systems described herein target the organization to a security event based at least in part on a comparison of the security event with a targeted attack taxonomy. You may judge that possibility is high. For example, the decision module 106 may, as part of the computing device 202 and / or server 206 of FIG. 2, determine that the security event 210 is responsible for the organization based at least in part on the comparison of the security event 210 and the targeted attack taxonomy 120. It may be determined that the possibility of targeting is high. The terms “target” or “targeting” as used herein generally refer to at least one specific organization (not any indiscriminate organization or user), And / or any type or form of goal, purpose, and / or intention intended.

  The systems described herein may implement step 306 in various ways and / or contexts. In some embodiments, the determination module 106 may determine whether the security event 210 has identified an organization based at least in part on the number of features of the security event 210 that match at least one of the characteristics 122 (1)-(N). It may be determined that the possibility of targeting is high. For example, the determination module 106 may determine that the twelve characteristics of the security event 210 match at least one of the characteristics 122 (1)-(N) identified in the targeted attack taxonomy 120. In this example, the determination module 106 may determine that these 12 matching features of the security event 210 are above a certain threshold (eg, at least 10 matching features). The determination module 106 may then determine that the security event 210 is likely targeting an organization because the number of matching features in the security event 210 is above a threshold.

  In some examples, the determination module 106 may determine that the security event 210 is likely targeting an organization based at least in part on the taxonomy score of the security event 210. For example, the determination module 106 may calculate a taxonomy score 55% of the security score 210. In this example, the taxonomy score indicates that 55% of the identified features of the security event 210 match at least one of the characteristics 122 (1)-(N) identified in the targeted attack taxonomy 120. May be shown. In calculating the taxonomy score for security event 210, determination module 106 may determine that this taxonomy score is above a certain threshold (eg, at least 50%). The determination module 106 may then determine that the security event 210 is likely targeting an organization because the taxonomy score of the security event 210 is above a threshold.

  In some examples, the determination module 106 may determine that the security event 210 is targeting an organization based at least in part on a particular category score for the categories 400 (1)-(N). . For example, the determination module 106 may calculate a category score 50% for the category 400 (1) and a category score 60% for the category 400 (N) for the security event 210. In this example, each category score may indicate the number and / or percentage of characteristics included in the corresponding category in which at least one feature of security event 210 matches. In calculating these category scores for the security event 210, the determination module 106 may determine that these category scores each exceed a corresponding threshold (eg, at least 45% and 55%, respectively). The determination module 106 may then determine that the security event 210 is likely targeting an organization because all of these category scores are above their corresponding thresholds.

  In some embodiments, the determination module 106 targets the organization to the security event 210 based at least in part on the number of categories in which at least one characteristic of the security event 210 matches that characteristic. You may judge that possibility is high. For example, the determination module 106 may determine that the characteristics of the security event 210 match at least one of the characteristics included in the five different categories of the targeted attack taxonomy 120. In other words, the determination module 106 may determine that the characteristics of the security event 210 span five different categories included in the targeted attack taxonomy 120. Additionally or alternatively, the determination module 106 may determine that the number of categories covered by the features of the security event 210 exceeds a particular threshold (eg, at least three categories). The determination module 106 may then determine that the security event 210 is targeting an organization because the number of categories covered by the security event 210 features exceeds a threshold.

  Returning to FIG. 3, in step 308, one or more of the systems described herein responds to a determination that the security event is likely targeting an organization as a targeted attack. You may classify. For example, the classification module 108 may target the security event 210 in response to a determination that the security event 210 is likely targeting an organization as part of the computing device 202 and / or server 206 of FIG. It may be classified as a type attack (or at least part of a target type attack).

  The systems described herein may implement step 308 in various ways and / or contexts. In some embodiments, the classification module 108 may classify the security event 210 as a targeted attack by labeling the security event 210. For example, the classification module 108 may label the security event 210 as being part of a targeted attack on the organization. In this example, the label may effectively categorize security event 210 as part of a targeted attack on the organization.

  In some embodiments, the classification module 108 may classify the security event 210 as a targeted attack by assigning the security event 210 to a known threat group. For example, the decision module 106 may be based on a comparison of the security event 210 and the targeted attack taxonomy 120 based on a threat group known as a “purple token” that violates the security event 210. You may judge that the nature is high. As a result, the classification module 108 may label the security event 210 as being committed by a “purple token” threat group. This label may effectively attribute security event 210 to the “purple token” threat group.

  In some embodiments, the classification module 108 may classify the security event 210 as a targeted attack by clustering and / or grouping the security event 210 with one or more other security events. For example, the decision module 106 may be based at least in part on a comparison of the security event 210 and the targeted attack taxonomy 120, where the security event 210 and one or more other security events represent a part of the same targeted attack. You may judge that the nature is high. As a result, the classification module 108 may label security events 210 and / or other security events as being part of each of the same targeted attacks. This label may effectively cluster and / or group security events 210 with other security events associated with targeted attacks.

  In one example, the classification module 108 may notify the target organization that the security event 210 is likely a targeted attack. For example, the classification module 108 may indicate that the “purple token” threat group is attempting to penetrate, infiltrate, and / or infect an organization through security events 210 and / or targeted attacks. You may notify the house. By notifying the IT professional of this attempt, the classification module 108 allows the target organization's IT professional to deploy valid responses in a timely manner to mitigate and / or disable security events 210 and / or targeted attacks. You may be able to do that.

  Additionally or alternatively, the classification module 108 may label any malicious executable file involved and / or associated with the security event 210 and / or targeted attack. For example, the classification module 108 may identify malicious executable files transferred in association with the security event 210. The classification module 108 may then label this malicious executable file as being involved and / or associated with the security event 210. This label may effectively link this malicious executable file to security event 210 and / or targeted attacks.

  In one example, the classification module 108 may notify at least one user and / or organization that the computing device is infected with a malicious executable file. For example, the classification module 108 may inform the target organization's IT specialist that one or more computing devices belonging to the target organization are infected with a malicious executable file. In this example, the notification may indicate that the “Purple Token” threat group has produced and / or distributed a malicious executable file. By notifying IT professionals of this infection, classification module 108 allows IT professionals to deploy valid responses in a timely manner to mitigate and / or nullify any harm caused by malicious executable files. May be possible.

  As described above in connection with the method 300 of FIG. 3, the SIEM may create a taxonomy with characteristics indicative of a targeted attack. In one example, the SIEM may identify security events by collecting security-related telemetry data from various security systems that protect an organization's computing devices and / or networks. In identifying a security event, the SIEM may score the security event based at least in part on the amount of characteristics shared by and / or common to both the security event and the taxonomy.

  This score may essentially represent the likelihood that a security event is targeting the organization. In other words, the score may reflect the amount of evidence presenting that the security event is a targeted attack or just promiscuous malware. On the other hand, if the security event and taxonomy share a relatively large number of characteristics, the security event score may be relatively high, thereby indicating that the security event is a targeted attack. On the other hand, if the characteristics shared by security events and taxonomies are relatively few, the security event score may be relatively low, which suggests that the security event is an indiscriminate non-targeted attack .

  FIG. 6 is a block diagram of an exemplary computing system 610 that can implement one or more of the embodiments described and / or illustrated herein. For example, all or a portion of the computing system 610, alone or in combination with other elements, can include one of the steps described herein (such as one or more of the steps illustrated in FIG. 3). One or more may be implemented and / or a means for implementing it. All or a portion of computing system 610 may also perform and / or means for performing any other steps, methods, or processes described and / or illustrated herein. It may be.

  Computing system 610 broadly represents any single or multiprocessor computing device or system capable of executing computer readable instructions. Examples of computing system 610 include, but are not limited to, workstations, laptops, client-side terminals, servers, distributed computing systems, handheld devices, or any other computing system or device. In its most basic configuration, computing system 610 may include at least one processor 614 and system memory 616.

  The processor 614 generally represents any type or form of physical processing device (eg, a hardware-implemented central processing unit) capable of processing data or interpreting and executing instructions. In certain embodiments, processor 614 may receive instructions from a software application or module. These instructions may cause processor 614 to perform one or more of the functions of the exemplary embodiments described and / or illustrated herein.

  System memory 616 generally represents any type or form of volatile or non-volatile storage device or medium capable of storing data and / or other computer-readable instructions. Examples of system memory 616 include, but are not limited to, random access memory (RAM), read only memory (ROM), flash memory, or any other suitable memory device. Although not required, in certain embodiments, the computing system 610 includes a volatile memory unit (eg, system memory 616, etc.) and a non-volatile storage device (eg, primary storage device 632, etc., as described in detail below). ) May be included. In one embodiment, one or more of the modules 102 of FIG. 1 may be loaded into the system memory 616.

  In certain embodiments, exemplary computing system 610 may also include one or more components or elements in addition to processor 614 and system memory 616. For example, as shown in FIG. 6, the computing system 610 may include a memory controller 618, an input / output (I / O) controller 620, and a communication interface 622, each of which communicates with each other via a communication infrastructure 612. It may be connected. Communication infrastructure 612 generally represents any type or form of infrastructure that can facilitate communication between one or more components of a computing device. Examples of communication infrastructure 612 include, but are not limited to, a communication bus (such as an industry standard architecture (ISA), peripheral device interconnect (PCI), PCI express (PCIe), or similar bus) and a network.

  Memory controller 618 generally represents any type or form of device that can handle memory or data or control communication between one or more components of computing system 610. For example, in certain embodiments, memory controller 618 may control communications between processor 614, system memory 616, and I / O controller 620 via communication infrastructure 612.

  The I / O controller 620 generally represents any type or form of module that can coordinate and / or control the input / output functions of a computing device. For example, in certain embodiments, I / O controller 620 includes one or more elements of computing system 610, such as processor 614, system memory 616, communication interface 622, display adapter 626, input interface 630, and storage interface 634. Data transfer between them may be controlled or facilitated.

  Communication interface 622 broadly represents any type or form of communication device or adapter that can facilitate communication between exemplary computing system 610 and one or more additional devices. For example, in certain embodiments, communication interface 622 may facilitate communication between computing system 610 and a private or public network that includes additional computing systems. Examples of communication interface 622 include, but are not limited to, a wired network interface (such as a network interface card), a wireless network interface (such as a wireless network interface card), a modem, and any other suitable interface. In at least one embodiment, communication interface 622 may provide a direct connection to a remote server via a direct link to a network, such as the Internet. Communication interface 622 may also provide such connection through, for example, a local area network (such as an Ethernet network), a personal area network, a telephone or cable network, a cellular telephone connection, a satellite data connection, or any other suitable connection. May be provided indirectly.

  In certain embodiments, the communication interface 622 is also configured to facilitate communication between the computing system 610 and one or more additional networks or storage devices via an external bus or communication channel. May represent a host adapter. Examples of host adapters include, but are not limited to, small computer system interface (SCSI) host adapters, universal serial bus (USB) host adapters, the Institute of Electrical and Electronics Engineers (IEEE) 1394 host adapters, advanced technology attachments (ATA), parallel Examples include ATA (PATA), serial ATA (SATA), and external SATA (eSATA) host adapters, fiber channel interface adapters, and Ethernet (registered trademark) adapters. Communication interface 622 may also allow computing system 610 to participate in distributed or remote computing. For example, the communication interface 622 may receive instructions from a remote device or send instructions to a remote device for execution.

  As shown in FIG. 6, the computing system 610 may also include at least one display device 624 that is coupled to the communication infrastructure 612 via a display adapter 626. Display device 624 generally represents any type or form of device capable of visually displaying information transferred by display adapter 626. Similarly, display adapter 626 generally transfers graphics, text, and other data from communication infrastructure 612 (or from a frame buffer as is known in the art) for display on display device 624. Represents any type or form of device configured to.

  As shown in FIG. 6, the exemplary computing system 610 may also include at least one input device 628 that is coupled to the communication infrastructure 612 via an input interface 630. Input device 628 generally represents any type or form of input device that can provide input generated by either a computer or a human to the exemplary computing system 610. Examples of the input device 628 include, but are not limited to, a keyboard, a pointing device, a voice recognition device, or any other input device.

  As shown in FIG. 6, the exemplary computing system 610 may also include a primary storage device 632 and a backup storage device 633 that are coupled to the communication infrastructure 612 via a storage interface 634. Storage devices 632 and 633 generally represent any type or form of storage device or medium capable of storing data and / or other computer readable instructions. For example, the storage devices 632 and 633 may be magnetic disk drives (eg, so-called hard drives), solid state drives, floppy disk drives, magnetic tape drives, optical disk drives, flash drives, and the like. Storage interface 634 generally represents any type or form of interface or device for transferring data between storage devices 632 and 633 and other components of computing system 610.

  In certain embodiments, the storage devices 632 and 633 are configured to read from and / or write to a removable storage unit configured to store computer software, data, or other computer readable information. May be. Examples of suitable removable storage units include, but are not limited to, floppy disks, magnetic tapes, optical disks, flash memory devices, and the like. Storage devices 632 and 633 may also include other similar structures or devices that allow computer software, data, or other computer-readable instructions to be loaded into computing system 610. For example, the storage devices 632 and 633 may be configured to read and write software, data, or other computer readable information. Storage devices 632 and 633 may also be part of computing system 610 or may be separate devices accessed via other interface systems.

  Many other devices or subsystems may be connected to computing system 610. Conversely, not all of the components and devices shown in FIG. 6 need be present to practice the embodiments described and / or illustrated herein. The devices and subsystems referred to above may also be interconnected differently than shown in FIG. The computing system 610 may also use any number of software, firmware, and / or hardware configurations. For example, one or more of the exemplary embodiments disclosed herein are encoded on a computer readable medium as a computer program (also referred to as computer software, software application, computer readable instructions, or computer control logic). May be. The term “computer-readable medium” as used herein generally refers to any form of device, carrier, or medium that can store or retain computer-readable instructions. Examples of computer readable media include, but are not limited to, transmission media such as carrier waves, and magnetic storage media (eg, hard disk drives, tape drives, and floppy disks), optical storage media (eg, compact disks (CDs), Non-transitory media such as digital video discs (DVD) and Blu-ray (BLU-RAY®) discs, electronic storage media (eg, solid state drives and flash media), and other distributed systems.

  A computer readable medium containing the computer program may be loaded into the computing system 610. All or a portion of the computer program stored on the computer readable medium may then be stored in the system memory 616 and / or in various portions of the storage devices 632 and 633. When executed by processor 614, a computer program loaded into computing system 610 causes processor 614 to perform one or more of the functions of the exemplary embodiments described and / or illustrated herein. And / or a means for implementing them. Additionally or alternatively, one or more of the exemplary embodiments described and / or illustrated herein may be implemented in firmware and / or hardware. For example, the computing system 610 may be configured as an application specific integrated circuit (ASIC) adapted to implement one or more of the exemplary embodiments disclosed herein.

  FIG. 7 is a block diagram of an exemplary network architecture 700 in which client systems 710, 720, and 730 and servers 740 and 745 may be coupled to a network 750. As detailed above, all or part of the network architecture 700, alone or in combination with other elements, can include one or more of the steps disclosed herein (one of the steps shown in FIG. 3). Etc.) and / or means for implementing it. All or part of network architecture 700 may also be used to implement and / or be a means for performing other steps and features described in this disclosure.

  Client systems 710, 720, and 730 generally represent any type or form of computing device or system, such as the exemplary computing system 610 of FIG. Similarly, servers 740 and 745 generally represent computing devices or systems, such as application servers or database servers, that are configured to provide various database services and / or execute specific software applications. . Network 750 generally represents any telecommunications or computer network including, for example, an intranet, WAN, LAN, PAN, or the Internet. In one embodiment, client systems 710, 720, and / or 730, and / or servers 740 and / or 745 may include all or part of system 100 from FIG.

  As shown in FIG. 7, one or more storage devices 760 (1)-(N) may be directly attached to the server 740. Similarly, one or more storage devices 770 (1)-(N) may be directly attached to server 745. Storage devices 760 (1)-(N) and storage devices 770 (1)-(N) may generally be any type or form of storage device that can store data and / or other computer-readable instructions or Represents the medium. In certain embodiments, storage devices 760 (1)-(N) and storage devices 770 (1)-(N) are network file system (NFS), server message block (SMB), or common internet file system (CIFS). ) May be used to represent network attached storage (NAS) devices configured to communicate with servers 740 and 745.

  Servers 740 and 745 may also be connected to a storage area network (SAN) fabric 780. SAN fabric 780 generally represents any type or form of computer network or architecture that can facilitate communication between multiple storage devices. The SAN fabric 780 may facilitate communication between the servers 740 and 745 and the plurality of storage devices 790 (1)-(N) and / or the intelligent storage array 795. The SAN fabric 780 also provides the network 750 and server 740 in such a way that the storage devices 790 (1)-(N) and the intelligent storage array 795 appear as devices attached locally to the client systems 710, 720, and 730. And 745 may facilitate communication between client systems 710, 720, and 730 and devices 790 (1)-(N) and / or array 795. Similar to storage devices 760 (1)-(N) and storage devices 770 (1)-(N), storage devices 790 (1)-(N) and intelligent storage array 795 generally have data and / or other Represents any type or form of storage device or medium capable of storing computer readable instructions.

  In certain embodiments, referring to the exemplary computing system 610 of FIG. 6, a communication interface, such as the communication interface 622 of FIG. 6, is between the respective client systems 710, 720, and 730 and the network 750. It may be used to provide a connection. Client systems 710, 720, and 730 may be able to access information on server 740 or 745 using, for example, a web browser or other client software. In such software, the client systems 710, 720, and 730 have the server 740, server 745, storage devices 760 (1) to (N), storage devices 770 (1) to (N), and storage devices 790 (1) to (N). N), or may allow access to data hosted by the intelligent storage array 795. Although FIG. 7 illustrates using a network (such as the Internet) to exchange data, the embodiments described and / or illustrated herein may be based on the Internet or any particular network-based It is not limited to the environment.

  In at least one embodiment, all or part of one or more of the exemplary embodiments disclosed herein are encoded as a computer program and are server 740, server 745, storage device 760 (1). ~ (N), storage devices 770 (1)-(N), storage devices 790 (1)-(N), intelligent storage array 795, or any combination thereof may be loaded and executed by them . All or part of one or more of the exemplary embodiments disclosed herein may also be encoded as a computer program, stored on server 740, operated by server 745, and client system over network 750. 710, 720, and 730 may be distributed.

  As detailed above, one or more components of computing system 610, and / or network architecture 700, each alone or in combination with other elements, are examples of classifying security events as targeted attacks. One or more steps of the method may be performed and / or may be a means for performing.

  Although the foregoing disclosure describes various embodiments using specific block diagrams, flowcharts, and examples, each block diagram component, flowchart described and / or illustrated herein. The steps, operations, and / or components may be implemented individually and / or collectively using a wide variety of hardware, software, or firmware (or any combination thereof) configurations. In addition, since many other architectures can be implemented to achieve the same functionality, any disclosure of components contained within other components should be considered essentially exemplary. is there.

  In some embodiments, all or part of the example system 100 of FIG. 1 may represent a part of a cloud computing environment or a network-based environment. A cloud computing environment may provide various services and applications via the Internet. These cloud-based services (eg, software as a service, platform as a service, infrastructure as a service, etc.) may be accessible through a web browser or other remote interface. The various functions described herein may be provided through a remote desktop environment or any other cloud-based computing environment.

  In various embodiments, all or a portion of the example system 100 of FIG. 1 may facilitate multi-tenancy within a cloud-based computing environment. In other words, the software modules described herein may configure a computing system (eg, a server) to facilitate multi-tenancy for one or more of the functions described herein. . For example, one or more of the software modules described herein program a server to allow two or more clients (eg, customers) to share applications running on the server. May be. A server programmed in this manner may share applications, operating systems, processing systems, and / or storage systems among multiple customers (ie, tenants). One or more of the modules described herein may also partition multi-tenant application data and / or configuration information for each customer so that one customer cannot access another customer's data and / or configuration information. Also good.

  According to various embodiments, all or part of the example system 100 of FIG. 1 may be implemented in a virtual environment. For example, the modules and / or data described herein may reside and / or execute within a virtual machine. As used herein, the term “virtual machine” generally refers to any operating system environment that is extracted from computing hardware by a virtual machine manager (eg, a hypervisor). In addition, or alternatively, the modules and / or data described herein may reside and / or execute within the virtualization layer. As used herein, the term “virtualization layer” generally refers to any data layer and / or application layer that overlays and / or is extracted from the operating system environment. The virtualization layer may be managed by a software virtualization solution (eg, a file system filter) that presents the virtualization layer as if it were part of the underlying base operating system. For example, a software virtualization solution may redirect a call that is initially directed to a location in the base file system and / or registry to a location in the virtualization layer.

  In some embodiments, all or a portion of the example system 100 of FIG. 1 may represent a portion of a mobile computing environment. Mobile computing environments include a wide range of mobile computing including mobile phones, tablet computers, ebook readers, personal digital assistants, wearable computing devices (eg, computing devices with head-mounted displays, smart watches, etc.) It may be realized by a device. In some embodiments, the mobile computing environment can be, for example, dependent on battery power, presentation of only one foreground application at any given time, remote management mechanism, touch screen mechanism, location and movement data. (E.g., provided by a global positioning system, gyroscope, accelerometer, etc.), limit modifications to system-level configurations, and / or limit the ability of third party software to inspect the behavior of other applications May have one or more distinct features, such as restricted platform, control to restrict application installation (eg, only from authorized application stores). The various functions described herein may be provided for and / or interact with a mobile computing environment.

  In addition, all or part of the example system 100 of FIG. 1 may represent, interact with, and be generated by one or more parts of the system for information management. Data may be consumed and / or data consumed thereby may be generated. As used herein, the term “information management” may refer to the protection, organization, and / or storage of data. Examples of systems for information management include, but are not limited to, storage systems, backup systems, archive systems, replication systems, high availability systems, data retrieval systems, virtualization systems, and the like.

  In some embodiments, all or a portion of the example system 100 of FIG. 1 may represent one or more system portions for information security, generating data protected thereby. And / or may communicate with it. As used herein, the term “information security” may refer to controlling access to protected data. Examples of systems for information security include, but are not limited to, systems that provide managed security services, data loss prevention systems, identity authentication systems, access control systems, encryption systems, policy compliance systems, intrusion detection and Prevention systems, electronic evidence disclosure systems, and the like.

  According to some embodiments, all or part of the example system 100 of FIG. 1 may represent and communicate with one or more parts of the system for endpoint security, And / or may receive protection therefrom. As used herein, the term “endpoint security” may refer to protecting an endpoint system from unauthorized and / or illegal use, access, and / or control. Examples of systems for endpoint protection include, but are not limited to, anti-malware systems, user authentication systems, encryption systems, privacy systems, spam filtering services, and the like.

  The process parameters and order of steps described and / or illustrated herein are given by way of example only and can be varied as desired. For example, although the steps illustrated and / or described herein may be illustrated or discussed in a particular order, these steps need not necessarily be performed in the order illustrated or discussed. Various exemplary methods described and / or illustrated herein may also omit one or more of the steps described or illustrated herein, or may include additional steps in addition to those disclosed. May be included.

  Although various embodiments have been described and / or illustrated herein in the context of a fully functional computing system, one or more of these exemplary embodiments may actually implement the distribution. Regardless of the particular type of computer readable medium used, the program product may be distributed in various forms. The embodiments disclosed herein may also be implemented using software modules that perform specific tasks. These software modules may include scripts, batches, or other executable files that may be stored on a computer-readable storage medium or computing system. In some embodiments, these software modules may configure a computing system to implement one or more of the exemplary embodiments disclosed herein.

  In addition, one or more of the modules described herein may convert data, physical devices, and / or physical device representations from one form to another. For example, one or more of the modules listed herein receives telemetry data related to the security to be converted, converts the telemetry data related to the security, and outputs the result of the conversion as a targeted attack taxonomy. The transformation result may be used to identify the targeted attack, and the transformation result may be stored for future use. Additionally or alternatively, one or more of the modules listed herein execute on the computing device, store data on the computing device, and / or otherwise compute. By interacting with the device, the processor, volatile memory, non-volatile memory, and / or any other part of the physical computing device may be converted from one form to another.

  The foregoing description has been provided to enable other persons skilled in the art to best utilize various aspects of the exemplary embodiments disclosed herein. This exemplary description is not intended to be exhaustive or to be limited to any precise form disclosed. Many modifications and variations are possible without departing from the spirit and scope of this disclosure. The embodiments disclosed herein are to be considered in all respects as illustrative and not restrictive. In determining the scope of the disclosure, reference should be made to the appended claims and their equivalents.

  Unless otherwise stated, the terms “connected to” and “coupled to” (and their derivatives), as used in the specification and claims, refer to direct connection and indirect. It is to be construed as allowing both connections (ie, via other elements or components). In addition, the term “a” or “an”, when used herein and in the claims, is to be interpreted as meaning “at least one of”. Finally, for the sake of brevity, the terms “including” and “having” (and their derivatives) are interchangeable with the word “comprising” as used herein and in the claims, Have the same meaning.

Claims (11)

A computer-implemented method for classifying a security event as a targeted attack, wherein at least a portion of the method is performed by a computing device comprising at least one processor, the method comprising:
Detecting at least one malicious security event associated with at least one organization;
Comparing the malicious security event to a targeted attack taxonomy comprising a plurality of categories , each category comprising a plurality of characteristics of the targeted attack ;
Based at least in part on a comparison between the malicious security event and the targeted attack taxonomy,
Calculating a category score for each category within the plurality of categories included in the targeted attack taxonomy based at least in part on a comparison of the malicious security event and the targeted attack taxonomy;
Determining the number of features of the malicious security event that match the corresponding characteristics identified in the targeted attack taxonomy;
Based on each category score and the number of features of the malicious security event that match the corresponding characteristic identified in the targeted attack taxonomy, the malicious security event is promiscuous or non-targeted Calculating a taxonomy score that represents the possibility of being part of a targeted attack movement rather than an attack,
Determining that the taxonomy score is above a certain threshold;
Determining that the malicious security event is likely to specifically target the organization;
In response to determining that the malicious security event is likely to specifically target the organization, the malicious security event is sent to the organization instead of promiscuous or non-targeted attacks. Classifying it as part of the targeted attack movement specifically targeted,
Including a method. Comparing the malicious security event with a targeted attack taxonomy,
Identifying a plurality of characteristics of the malicious security event;
The method of claim 1, comprising comparing the plurality of characteristics of the malicious security event with the plurality of characteristics identified by the targeted attack taxonomy. Wherein for increasing or decreasing the influence of the characteristic in the calculation of taxonomy score further comprises weighting at least one of the characteristics identified in the targeted attacks taxonomy The method of claim 1. The method of claim 1 , wherein determining that the malicious security event is likely to target the organization includes determining that each category score is above a corresponding threshold. Determining that the malicious security event is likely targeting the organization,
Further comprising weighting at least one category score to increase or decrease the effect of the category score in calculating the taxonomy score;
The method of claim 1 . Collecting security-related telemetry data from at least one security system;
Identifying a plurality of characteristics indicative of a targeted attack in the security related telemetry data;
Creating the targeted attack taxonomy from the plurality of characteristics indicative of a targeted attack;
The method of claim 1, further comprising: The method of claim 1, further comprising notifying the organization that the malicious security event is classified as part of a targeted attack campaign that specifically targets the organization. A system for classifying security events as targeted attacks,
A detection module stored in memory for detecting a malicious security event associated with at least one organization;
A decision module stored in memory,
Comparing the malicious security event to a targeted attack taxonomy comprising a plurality of categories , each category comprising a plurality of characteristics of the targeted attack;
Based at least in part on a comparison between the malicious security event and the targeted attack taxonomy,
Calculating a category score for each category within the plurality of categories included in the targeted attack taxonomy based at least in part on a comparison of the malicious security event and the targeted attack taxonomy;
Determining the number of features of the malicious security event that match the corresponding characteristics identified in the targeted attack taxonomy;
Based on each category score and the number of features of the malicious security event that match the corresponding characteristic identified in the targeted attack taxonomy, the malicious security event is promiscuous or non-targeted Calculating a taxonomy score that represents the possibility of being part of a targeted attack movement rather than an attack,
Determining that the taxonomy score is above a certain threshold;
A determination module that determines that the malicious security event is likely to specifically target the organization;
In response to a determination that the malicious security event is likely to specifically target the organization, the malicious security event may be made specific to the organization instead of promiscuous or non-targeted attacks. A classification module stored in memory that classifies as part of the targeted attack movement that is targeted to
At least one processor executing the detection module, the determination module, and the classification module;
A system comprising: The determination module is
Identifying a plurality of characteristics of the malicious security event;
Comparing the plurality of characteristics of the malicious security event with the plurality of characteristics identified in the targeted attack taxonomy;
9. The system of claim 8, wherein the system compares the malicious security event with the targeted attack taxonomy. 9. The system of claim 8 , further comprising weighting at least one of the characteristics identified in the targeted attack taxonomy to increase or decrease the effect of the characteristic in calculating the taxonomy score. A non-transitory computer-readable medium containing one or more computer-executable instructions when executed by at least one processor of a computing device,
Detecting a malicious security event associated with at least one organization;
Comparing the malicious security event to a targeted attack taxonomy comprising a plurality of categories , each category comprising a plurality of characteristics of the targeted attack ;
Based at least in part on a comparison between the malicious security event and the targeted attack taxonomy,
Calculating a category score for each category within the plurality of categories included in the targeted attack taxonomy based at least in part on a comparison of the malicious security event and the targeted attack taxonomy;
Determining the number of features of the malicious security event that match the corresponding characteristics identified in the targeted attack taxonomy;
Based on each category score and the number of features of the malicious security event that match the corresponding characteristic identified in the targeted attack taxonomy, the malicious security event is promiscuous or non-targeted Calculating a taxonomy score that represents the possibility of being part of a targeted attack movement rather than an attack,
Determining that the taxonomy score is above a certain threshold;
Determining that the malicious security event is likely to specifically target the organization;
In response to determining that the malicious security event is likely to specifically target the organization, the security event may be specifically identified instead of indiscriminate or non-targeted attacks. Classifying it as part of a targeted attack movement targeted to
A non-transitory computer readable medium

Images